Tuesday, November 8, 2011

openpam trickery

While reviewing an entirely different server-side component of some code, I came across a funny vulnerability inside OpenPAM (note that this is different from Linux-PAM) as used in FreeBSD or Solaris. Yet, I only tested it on a FreeBSD 8.1 machine. The bug is that a program, namely kcheckpass, which is suid root, calls pam_start() with a user-provided argument as the service name, which makes the PAM stack parse user-owned config files, which ends in loading user-provided DSOs. WTF?!
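To make the failure mode above concrete, here is an added example (not code from the original post, OpenPAM or KDE): it composes the policy path the way a lookup that trusts the service name would, and shows the check a setuid caller could apply before handing a name to pam_start(). It assumes PAM resolves per-service policy as <policy dir>/<service name> (e.g. /etc/pam.d/<service>); the function names, the MAX_SERVICE_LEN bound and the sample names are hypothetical.

```c
/*
 * Added example, not code from the original post, OpenPAM or KDE.
 * Assumption: PAM looks up per-service policy as "<policy dir>/<service>"
 * (e.g. /etc/pam.d/<service>); the exact search order of a given
 * OpenPAM release is not reproduced here.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERVICE_LEN 64  /* hypothetical bound, not an OpenPAM constant */

/* Naive policy lookup: compose "<dir>/<svc>" exactly as a lookup that
 * trusts the service name would. Returns a pointer to a static buffer
 * (demo only, not thread-safe), or NULL if the path does not fit. */
const char *policy_path(const char *dir, const char *svc)
{
    static char path[256];
    int r = snprintf(path, sizeof path, "%s/%s", dir, svc);
    if (r < 0 || (size_t)r >= sizeof path)
        return NULL;
    return path;
}

/* Accept only names that cannot leave the policy directory: non-empty,
 * bounded, no '/', not starting with '.' (so "." and ".." are rejected),
 * and restricted to [A-Za-z0-9_.-]. */
bool service_name_is_safe(const char *svc)
{
    if (svc == NULL || svc[0] == '\0' || svc[0] == '.')
        return false;
    for (size_t i = 0; svc[i] != '\0'; i++) {
        unsigned char c = (unsigned char)svc[i];
        if (i >= MAX_SERVICE_LEN)
            return false;
        if (c == '/' || !(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return false;
    }
    return true;
}

/* What a setuid caller should hand to pam_start(): the requested name
 * only if it passes the check, otherwise a fixed, trusted default. */
const char *choose_service(const char *requested, const char *fallback)
{
    return service_name_is_safe(requested) ? requested : fallback;
}

int main(void)
{
    /* Constructed inputs: a normal name and a traversal-style one. */
    const char *names[] = { "kcheckpass", "../../home/someone/pam.d/evil" };
    for (size_t i = 0; i < 2; i++) {
        const char *p = policy_path("/etc/pam.d", names[i]);
        printf("%-32s -> %s (%s)\n", names[i], p ? p : "(too long)",
               service_name_is_safe(names[i]) ? "accepted" : "rejected");
    }
    printf("pam_start() would get: %s\n",
           choose_service(names[1], "kcheckpass"));
    return 0;
}
```

The allow-list is deliberately stricter than "reject `..`": a name that merely lacks `..` can still contain `/` and pick an arbitrary file under the policy root, and rejecting unexpected bytes outright is simpler to reason about than enumerating bad sequences.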

Interestingly, OpenPAM recently introduced a filter forthe service name via

[Update:] Solaris is not using OpenPAM (at least the OpenSolaris version I checked), but I could not find code that strips off certain character sequences. As the PAM setup is different from the /etc/pam.d layout we know, it is possible that there are no consequences if the service argument is not filtered. However, a lot of BSD derivatives use OpenPAM, and OSX as well. The question is whether one can find a vector different from kcheckpass, which is usually found with all KDE3 and KDE4 installs. If you can confirm the vulnerability on any Solaris or non-FreeBSD machine, please let me know. Also if you found out how OSX can be exploited this way.